Iframe credentialless gives developers a way to load documents in third-party iframes using a new and ephemeral context. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted.
This way, developers using COEP can now embed third-party iframes that do not use COEP.
Starting with version M110, iframe credentialless is enabled by default.
In versions below or equal to M109, it was named anonymous iframe instead. There, it can be enabled using the origin trial or feature flags.
| | <= M109 | >= M110 |
|---|---|---|
| Activation | origin trial or command line flag | enabled by default |
| iframe attribute | <iframe anonymous> | <iframe credentialless> |
window.credentialless reflects whether the document was loaded inside an iframe credentialless, by its parent or by one of its ancestors.
The attribute was renamed several times: #1, #7. Old versions of Chrome were using a different name.
Inside an iframe credentialless, documents are loaded from a new and ephemeral context. In particular, it is different from the one associated with its origin. It is also different for every new top-level document.
<iframe credentialless>
Please reload the page, and verify that the credentialless iframe's cookies are gone.
Cross-Origin-Embedder-Policy (COEP) embedding rules are recursive. If a document uses COEP, then its children must also use COEP.
Waiting for third parties to deploy COEP is painful for developers. This is often out of their control.
Iframe credentialless lifts this restriction, at the cost of loading the document from a fresh context every time.
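The rules above can be checked against a frame tree with a small model. This is an added example, not code from the original page or from Chrome: the frame object shape (`name`, `coep`, `credentialless`, `children`) and the function `evaluateFrameTree` are assumptions, and the model covers only the embedding rule and the inheritance of `window.credentialless` as described here.

```javascript
// Simplified model (added example). Each frame is a constructed object:
//   coep           - the document sends Cross-Origin-Embedder-Policy
//   credentialless - the <iframe> element embedding it has the attribute
function evaluateFrameTree(top) {
  const report = {};

  function visit(frame, parent) {
    // window.credentialless is true when the embedding iframe, or any
    // ancestor iframe, has the attribute. The top-level document never is.
    const inCredentialless =
      parent !== null &&
      (Boolean(frame.credentialless) || parent.inCredentialless);

    // COEP is recursive: a COEP parent only accepts a child that also uses
    // COEP, unless the child is loaded in a credentialless iframe.
    const blocked =
      parent !== null && parent.coep && !frame.coep && !inCredentialless;

    report[frame.name] = {
      loaded: !blocked,
      windowCredentialless: !blocked && inCredentialless,
      // Credentialless documents get a new, ephemeral context instead of
      // the one associated with their origin.
      context: blocked ? null : inCredentialless ? "ephemeral" : "origin",
    };
    if (blocked) return; // a blocked document never loads its own children

    for (const child of frame.children || []) {
      visit(child, { coep: Boolean(frame.coep), inCredentialless });
    }
  }

  visit(top, null);
  return report;
}

// Constructed sample: a COEP page embedding third-party documents.
const sampleTree = {
  name: "top", coep: true, children: [
    { name: "widget-plain", coep: false, children: [] },
    { name: "widget-credentialless", coep: false, credentialless: true,
      children: [{ name: "nested-ad", coep: false, children: [] }] },
    { name: "partner-with-coep", coep: true, children: [] },
  ],
};

console.log(evaluateFrameTree(sampleTree));
```

In the sample, only `widget-plain` is refused: it has neither COEP nor a credentialless ancestor, while `nested-ad` loads because it inherits the ephemeral context from its parent iframe.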
<iframe> with COEP:require-corp